FireQOS Reference

Copyright (c) 2004,2013-2014 Costa Tsaousis costa@tsaousis.org
Copyright (c) 2012-2014 Phil Whineray phil@sanewall.org

Version master-30f2168 (Built 24 Oct 2014)

Contents

1 FireQOS Reference
  1.1 Running and Configuring FireQOS
    1.1.1 fireqos(1)
    1.1.2 fireqos.conf(5)
  1.2 Organising Traffic with FireQOS
    1.2.1 fireqos-interface(5)
    1.2.2 fireqos-class(5)
    1.2.3 fireqos-match(5)
  1.3 Optional Parameters for FireQOS Commands
    1.3.1 fireqos-params(5)
    1.3.2 fireqos-params-class(5)
    1.3.3 fireqos-params-match(5)

The latest version of this manual is available online as a PDF, as single page HTML and also as multiple pages within the website.

1 FireQOS Reference

1.1 Running and Configuring FireQOS

1.1.1 fireqos(1)

NAME

fireqos - an easy to use but powerful traffic shaping tool

SYNOPSIS

    fireqos CONFIGFILE [start | debug] [ -- conf-arg ... ]
    fireqos { stop | clear_all_qos }
    fireqos status [name [ dump [class]]]
    fireqos { dump | tcpdump } name class [ tcpdump-arg ... ]
    fireqos { drops | overlimits | requeues } name

DESCRIPTION

FireQOS is a helper to assist you configure traffic shaping on Linux. Run without any arguments, fireqos will present some help on usage.

When given CONFIGFILE, fireqos will use the named file instead of /etc/firehol/fireqos.conf as its configuration.

The parameter name always refers to an interface name from the configuration file. The parameter class always refers to a named class within a named interface.
It is possible to pass arguments for use by the configuration file by separating any conf-arg values from the rest of the arguments with --. The arguments are accessible in the configuration using standard bash(1) syntax, e.g. $1, $2, etc.

COMMANDS

start; debug
    Activates traffic shaping on all interfaces, as given in the configuration file. When invoked as debug, FireQOS also prints all of the tc(8) commands it executes.

stop
    Removes all traffic shaping applied by FireQOS (it does not touch QoS on other interfaces and IFBs used by other tools).

clear_all_qos
    Removes all traffic shaping on all network interfaces and removes all IFB devices from the system, even those applied by other tools.

status
    Shows live utilisation for the specified interface. FireQOS will show you the rate of traffic on all classes, adding one line per second (similarly to vmstat, iostat, etc.). If dump is specified, it tcpdumps the traffic in the given class of the interface.

tcpdump; dump
    FireQOS temporarily mirrors the traffic of any leaf class to an IFB device. Then it runs tcpdump(8) on this interface to dump the traffic to your console. You may add any tcpdump(8) parameters you like to the command line (to dump the traffic to a file, match a subset of the traffic, etc.), for example this:

        fireqos tcpdump adsl-in voip -n

    will start a tcpdump of all traffic on interface adsl-in, in class voip. The parameter -n is a tcpdump(8) parameter.

    Note
    When FireQOS is running in tcpdump mode, it locks itself and will refuse to run in parallel with another FireQOS altering the QoS, or tcpdumping other traffic. This is because FireQOS reserves device ifb0 for monitoring. If two FireQOS processes were allowed to tcpdump in parallel, your dumps would be wrong, so it locks itself to prevent such a case.

drops
    Shows packets dropped per second, per class, for the specified interface.

overlimits
    Shows packets delayed per second, per class, for the specified interface.
requeues
    Shows packets requeued per second, per class, for the specified interface.

FILES

/etc/firehol/fireqos.conf

SEE ALSO

• fireqos.conf(5) - FireQOS configuration file
• FireHOL Website
• FireHOL Online PDF Manual
• FireHOL Online HTML Manual
• tc(8) - show / manipulate traffic control settings
• tcpdump(8) - dump traffic on a network

1.1.2 fireqos.conf(5)

NAME

fireqos.conf - FireQOS configuration file

DESCRIPTION

This file defines the traffic shaping that will be applied by fireqos(1). The default configuration file is /etc/firehol/fireqos.conf. It can be overridden from the command line.

A configuration consists of a number of input and output interface definitions (see fireqos-interface(5)). Each interface can define any number of (optionally nested) classes (see fireqos-class(5)) which shape the traffic which they match (see fireqos-match(5)).

SPEED UNITS

In FireQOS, speeds can be expressed in the following units:

    #bps                  # bytes per second
    #kbps; #Kbps          # kilobytes per second
    #mbps; #Mbps          # megabytes per second
    #gbps; #Gbps          # gigabytes per second
    #bit                  # bits per second
    #kbit; #Kbit; #       # kilobits per second (default, used when no unit is given)
    #mbit; #Mbit          # megabits per second
    #gbit; #Gbit          # gigabits per second
    #%                    # In a class, uses this percentage of the enclosing rate.

Note
The default, kbit, is different to tc(8), which assumes bytes per second when no unit is specified.
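The unit table above is easy to misread when a bare number is involved, because FireQOS and tc(8) default differently. The following Python helper is an added illustration, not code from the FireQOS manual or project: it normalises a FireQOS speed string to bits per second, applies the kbit default to bare numbers, resolves a trailing % against an enclosing rate, and also resolves the nested percentages used in the fireqos-class(5) examples later in this manual. The decimal multipliers (1 k = 1000) are an assumption of this example; the manual does not state which base FireQOS uses.

```python
import re

# Multipliers to bits per second. Decimal (1 k = 1000) is an assumption of
# this example; the manual does not state which base FireQOS uses.
_UNITS = {
    "bps": 8, "kbps": 8_000, "mbps": 8_000_000, "gbps": 8_000_000_000,
    "bit": 1, "kbit": 1_000, "mbit": 1_000_000, "gbit": 1_000_000_000,
}

# number, then either a letter unit (possibly empty) or a literal '%'
_SPEED_RE = re.compile(r"^\s*(\d+(?:\.\d+)?)\s*([A-Za-z]*|%)\s*$")


def parse_speed(text, enclosing_rate_bps=None):
    """Return a FireQOS speed string as bits per second.

    A bare number is kilobits per second (the FireQOS default, unlike tc).
    A trailing '%' is resolved against enclosing_rate_bps, the rate of the
    enclosing interface or class group. Unit names are case-insensitive,
    so Kbit/kbit and Mbps/mbps are accepted alike.
    """
    m = _SPEED_RE.match(text)
    if not m:
        raise ValueError(f"unparseable speed: {text!r}")
    value, unit = float(m.group(1)), m.group(2)
    if unit == "%":
        if enclosing_rate_bps is None:
            raise ValueError("a percentage needs an enclosing rate")
        return int(enclosing_rate_bps * value / 100)
    if unit == "":
        unit = "kbit"  # FireQOS default for a bare number
    key = unit.lower()
    if key not in _UNITS:
        raise ValueError(f"unknown speed unit: {unit!r}")
    return int(value * _UNITS[key])


def tc_default_bps(text):
    """The same string as tc(8) reads it: a bare number is BYTES per second."""
    m = _SPEED_RE.match(text)
    if m and m.group(2) == "":
        return int(float(m.group(1)) * 8)
    return parse_speed(text)


def resolve_commits(interface_rate, tree):
    """Resolve committed rates through nested class groups.

    tree is a list of (name, speed, children) tuples; a percentage is taken
    from the rate of the enclosing group, as FireQOS does. Returns
    {class_name: bits_per_second}.
    """
    resolved = {}

    def walk(items, parent_bps):
        for name, speed, children in items:
            bps = parse_speed(speed, parent_bps)
            resolved[name] = bps
            walk(children, bps)

    walk(tree, parse_speed(interface_rate))
    return resolved


if __name__ == "__main__":
    # The 'servers' group from the fireqos-class(5) example, constructed here.
    tree = [("servers", "50%", [("mail", "50%", []), ("web", "50%", [])]),
            ("streaming", "30%", [])]
    for name, bps in resolve_commits("1Gbit", tree).items():
        print(f"{name:10} {bps // 1_000_000} Mbit/s")
    print("bare '100': fireqos", parse_speed("100"), "bit/s, tc", tc_default_bps("100"), "bit/s")
```

The `tc_default_bps` function exists only to show the gap the Note warns about: the same bare `100` means 100 kbit/s to FireQOS but 100 bytes/s (800 bit/s) to tc(8).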
EXAMPLE

    # incoming traffic from my ADSL router
    interface eth2 adsl-in input rate 10500kbit adsl remote pppoe-llc
        class voip commit 100kbit pfifo
            match udp ports 5060,10000:10100 # asterisk sip and rtp
            match udp ports 16393:16402 # apple facetime

        class realtime commit 10%
            match tcp port 22,1195:1198,1753 # ssh, openvpn, pptp
            match udp port 53 # dns
            match proto GRE
            match icmp
            match tcp syn
            match tcp ack

        class clients commit 10%
            match tcp port 20,21,25,80,143,443,465,873,993 # mail, web, ftp, etc

        # unmatched traffic goes here ('default' is a special name)
        class default max 90%

        # I define torrents beneath the default class, so they slow
        # down when the default class is willing to get bandwidth
        class torrents max 90%
            match port 51414 # my torrent client

    # outgoing traffic to my ADSL router
    interface eth2 adsl-out output rate 800kbit adsl remote pppoe-llc
        class voip commit 100kbit pfifo
            match udp ports 5060,10000:10100 # asterisk sip and rtp
            match udp ports 16393:16402 # apple facetime

        class realtime commit 10%
            match tcp port 22,1195:1198,1753 # ssh, openvpn, pptp
            match udp port 53 # dns
            match proto GRE
            match icmp
            match tcp syn
            match tcp ack

        class clients commit 10%
            match tcp port 20,21,25,80,143,443,465,873,993 # mail, web, ftp, etc

        # unmatched traffic goes here ('default' is a special name)
        class default max 90%

        # I define torrents beneath the default class, so they slow
        # down when the default class is willing to get bandwidth
        class torrents max 90%
            match port 51414 # my torrent client

SEE ALSO

• fireqos(1) - FireQOS program
• fireqos-interface(5) - QOS interface definition
• fireqos-class(5) - QOS class definition
• fireqos-match(5) - QOS traffic match
• FireHOL Website
• FireHOL Online PDF Manual
• FireHOL Online HTML Manual
• tc(8) - show / manipulate traffic control settings

1.2 Organising Traffic with FireQOS

1.2.1 fireqos-interface(5)

NAME

fireqos-interface - create an interface definition

SYNOPSIS

    { interface | interface4 } device name direction [optional-class-params] { rate | commit | min } speed
    interface46 ...
    interface6 ...

DESCRIPTION

Writing interface or interface4 applies traffic shaping rules only to IPv4 traffic. Writing interface6 applies traffic shaping rules only to IPv6 traffic. Writing interface46 applies traffic shaping rules to both IPv4 and IPv6 traffic.

The actual traffic shaping behaviour of an interface is defined by adding classes. See fireqos-class(5).

Note
To achieve best results with incoming traffic shaping, you should not use 100% of the available bandwidth at the interface level. If you use all there is, at 100% utilisation of the link the neighbour routers will start queuing packets. This will destroy prioritisation. Try 85% or 90% instead.

PARAMETERS

device
    This is the interface name as shown by ip link show (e.g. eth0, ppp1, etc.)

name
    This is a single-word name for this interface and is used for retrieving status information later.

direction
    If set to input, traffic coming in to the interface is shaped. If set to output, traffic going out via the interface is shaped.

optional-class-params
    For a list of optional class parameters which can be applied to an interface, see fireqos-params-class(5).

speed
    For an interface, the committed speed must be specified with the rate option. The speed can be expressed in any of the units described in fireqos.conf(5).

EXAMPLES

To create an input policy on eth0, capable of delivering up to 1Gbit of traffic:

    interface eth0 lan-in input rate 1Gbit

SEE ALSO

• fireqos.conf(5) - FireQOS configuration file
• fireqos-class(5) - QOS class definition
• fireqos-params-class(5) - QOS class parameters
• FireHOL Website
• FireHOL Online PDF Manual
• FireHOL Online HTML Manual

1.2.2 fireqos-class(5)

NAME

fireqos-class - traffic class definition

SYNOPSIS

    {class|class4|class6|class46} [group] name [optional-class-params]
    {class|class4|class6|class46} group end

DESCRIPTION

Note
There is also an optional match parameter called class; see fireqos-params-match(5).
Writing class inherits the IPv4/IPv6 version from its enclosing interface (see fireqos-interface(5)). Writing class4 includes only IPv4 traffic in the class. Writing class6 includes only IPv6 traffic in the class. Writing class46 includes both IPv4 and IPv6 traffic in the class.

The actual traffic to be matched by a class is defined by adding matches. See fireqos-match(5).

The sequence that classes appear in the configuration defines their priority. The first class is the most important one. Unless otherwise limited it will get all available bandwidth if it needs to. The second class is less important than the first, the third is even less important than the second, etc. The idea is very simple: just put the classes in the order of importance to you.

Classes can have their priority assigned explicitly with the prio parameter. See fireqos-params-class(5).

Note
The underlying Linux qdisc used by FireQOS, HTB, supports only 8 priorities, from 0 to 7. If you use more than 8 priorities, all after the 8th will get the same priority (prio 7).

All classes in FireQOS share the interface bandwidth. However, every class has a committed rate (the minimum guaranteed speed it will get if it needs to) and a ceiling (the maximum rate this class can reach, provided there is capacity available, and never exceeded even if there is spare bandwidth).

Classes may be nested to any level by using the class group syntax. By default FireQOS creates nested classes as classes directly attached to their parent class. This way, nesting does not add any delays.

FireQOS can also emulate new hardware at the group class level. This may be needed when, for example, you have an ADSL router that you connect to via Ethernet: you want the LAN traffic to be at Ethernet speed, but WAN traffic at ADSL speed with proper ADSL overheads calculation. To accomplish hardware emulation nesting, you add a linklayer definition (ethernet, adsl, atm, etc.), or just an mtu, to the group class.
FireQOS will create a qdisc within the class, where the linklayer parameters will be assigned, and the child classes will be attached to this qdisc. This adds some delay to the packets of the child classes, but allows you to emulate new hardware. For linklayer options, see fireqos-params-class(5).

There is a special class, called default. Default classes can be given explicitly in the configuration file. If they are not found in the config, FireQOS will append one at the end of each interface or class group.

PARAMETERS

group
    It is possible to nest classes by using a group. Grouped classes must be closed with the class group end command.

name
    This is a single-word name for this class and is used for displaying status information.

optional-class-params
    The set of optional class parameters to apply to this class. The following optional class parameters are inherited from the interface the class is in:

    • ceil
    • burst
    • cburst
    • quantum
    • qdisc

    If you define one of these at the interface level, then all classes within the interface will get the value by default. These values can be overwritten by defining the parameter on the class too. Optional class parameters not in the above list are not inherited from interfaces.
EXAMPLES

To create a nested class, called servers, containing http and smtp:

    interface eth0 lan input rate 1Gbit
        class voip commit 1Mbit
            match udp ports 5060,10000:10100

        class group servers commit 50%      # define the parent class
            match tcp                        # apply to all child classes

            class mail commit 50%            # 50% of parent ('servers')
                match port 25                # matches within parent ('servers')

            class web commit 50%
                match port 80

        class group end                      # end the group 'servers'

        class streaming commit 30%

To create a nested class which emulates an ADSL modem:

    interface eth0 lan output rate 1Gbit ethernet
        class lan
            match dst 192.168.0.0/24 # LAN traffic

        class group adsl rate 10Mbit ceil 10Mbit adsl remote pppoe-llc
            match all # all non-lan traffic in this emulated hardware group

            class voip # class within adsl
                match udp port 5060

            class web # class within adsl
                match tcp port 80,443

        class group end

SEE ALSO

• fireqos-params-class(5) - QOS class parameters
• fireqos(1) - FireQOS program
• fireqos.conf(5) - FireQOS configuration file
• fireqos-interface(5) - QOS interface definition
• fireqos-match(5) - QOS traffic match
• FireHOL Website
• FireHOL Online PDF Manual
• FireHOL Online HTML Manual

1.2.3 fireqos-match(5)

NAME

fireqos-match - QOS traffic match

SYNOPSIS

    {match|match4|match6|match46} optional-match-params

DESCRIPTION

Writing match inherits the IPv4/IPv6 version from its enclosing class (see fireqos-class(5)). Writing match4 includes only IPv4 traffic in the match. Writing match6 includes only IPv6 traffic in the match. Writing match46 includes both IPv4 and IPv6 traffic in the match.

You can add as many match statements as you like to a FireQOS configuration. They assign traffic to a class: by default to the class after which they are declared.

The sequence that matches appear in the configuration defines their priority, with the first match being given a prio of 10, with 10 added for each subsequent match (10, 20, 30, ...).
Matches can have their priority assigned explicitly with the prio parameter. See fireqos-params-match(5). If one match statement generates multiple tc(8) filter statements, all filters generated by the same match statement will have the same prio.

Note
match rules are attached to the parent of the class they appear in. Within the configuration they are written under a class, but in reality they are attached to their class parent, so that they classify the parent's traffic that they match into the class.

It is also possible to group all match statements together below the classes. This allows them to be arranged in preferred order, without the need for any explicit prio parameters. In this case however, each match statement must specify to which class it classifies the packets it matches, using the class parameter. See fireqos-params-match(5) and the examples below.

PARAMETERS

optional-match-params
    The set of optional parameters which describe this match. See fireqos-params-match(5).

EXAMPLES

Match traffic within classes:

    interface eth0 lan output rate 1Gbit
        class voip
            match udp ports 5060,10000:10100

        class dns
            match udp port 53

        class mail
            match tcp port 25

Matches split out and explicitly assigning traffic to classes (N.B. without the class parameters, all traffic would be classified into 'mail'):

    interface eth0 lan output rate 1Gbit
        class voip
        class dns
        class mail

        match udp ports 5060,10000:10100 class voip
        match tcp port 25 class mail
        match tcp port 80 class web

SEE ALSO

• fireqos-params-match(5) - QOS match parameters
• fireqos(1) - FireQOS program
• fireqos.conf(5) - FireQOS configuration file
• fireqos-interface(5) - QOS interface definition
• fireqos-class(5) - QOS class definition
• FireHOL Website
• FireHOL Online PDF Manual
• FireHOL Online HTML Manual
• tc(8) - show / manipulate traffic control settings

1.3 Optional Parameters for FireQOS Commands

1.3.1 fireqos-params(5)

NAME

fireqos-params - shared class/match parameters

SYNOPSIS

    prio
    priority

DESCRIPTION

Some optional parameter names are the same for both class and match. This page exists as a placeholder to help you find the appropriate documentation.

If you are searching for FireQOS parameters in general, see both fireqos-params-class(5) and/or fireqos-params-match(5) depending upon your need.

prio
    For the class version, see fireqos-params-class(5). For the match version, see fireqos-params-match(5).

priority
    For the class version, see fireqos-params-class(5). For the match version, see fireqos-params-match(5).
SEE ALSO

• fireqos-params-class(5) - QOS class parameters
• fireqos-params-match(5) - QOS match parameters
• FireHOL Website
• FireHOL Online PDF Manual
• FireHOL Online HTML Manual

1.3.2 fireqos-params-class(5)

NAME

fireqos-params-class - optional class parameters

SYNOPSIS

    rate | commit | min speed
    ceil | max speed
    minrate speed
    { qdisc qdisc-name | pfifo | bfifo | sfq | fq_codel | codel | none } [options "qdisc-options"]
    prio { 0..7 | keep | last }
    { linklayer linklayer-name } | { adsl {local|remote} encapsulation } | ethernet | atm
    mtu bytes
    mpu bytes
    tsize size
    overhead bytes
    r2q factor
    burst bytes
    cburst bytes
    quantum bytes
    priority | balanced

DESCRIPTION

All of the options apply to interface and class statements. Units for speeds are defined in fireqos.conf(5).

rate, commit, min
    When a committed rate of speed is provided to a class, it means that the bandwidth will be given to the class when it needs it. If the class does not need the bandwidth, it will be available for any other class to use.

    For interfaces, a rate must be defined. For classes the rate defaults to 1/100 of the interface capacity.

ceil, max
    Defines the maximum speed a class can use. Even if there is available bandwidth, a class will not exceed its ceil speed.

    For interfaces, the default is the rate speed of the interface. For classes, the default is the ceil of their interface.

minrate
    Defines the default committed speed for all classes not specifically given a rate in the config file. It forces a recalculation of tc(8) r2q.

    When minrate is not given, FireQOS assigns a default value of 1/100 of the interface rate.

qdisc qdisc-name, pfifo, bfifo, sfq, fq_codel, codel, none
    The qdisc defines the method to distribute class bandwidth to its sockets. It is applied within the class itself and is useful in cases where a class gets saturated. For information about these, see the Traffic Control Howto.

    A qdisc is only useful when applied to a class.
    It can be specified at the interface level in order to set the default for all of the included classes.

    To pass options to a qdisc, you can specify them through an environment variable or explicitly on each class. Set the variable FIREQOS_DEFAULT_QDISC_OPTIONS_qdiscname in the config file. For example, for sfq:

        FIREQOS_DEFAULT_QDISC_OPTIONS_sfq="perturb 10 quantum 2000"

    Using this variable each sfq will get these options by default. You can still override this by specifying explicit options for individual qdiscs; for example, to add some sfq options you would write:

        class classname sfq options "perturb 10 quantum 2000"

    The options keyword must appear just after the qdisc name.

prio (class)
    Note
    There is also a match parameter called prio, see fireqos-params-match(5).

    HTB supports 8 priorities, from 0 to 7. Any number less than 0 will give priority 0. Any number above 7 will give priority 7.

    By default, FireQOS gives the first class priority 0, and increases this number by 1 for each class it encounters in the config file. If there are more than 8 classes, all classes after the 8th will get priority 7. In balanced mode (see balanced, below), all classes will get priority 4 by default. FireQOS restarts priorities for each interface and class group.

    The class priority defines how the spare bandwidth is spread among the classes. Classes with higher priorities (lower prio) will get all spare bandwidth. Classes with the same priority will get a percentage of the spare bandwidth, proportional to their committed rates.

    The keywords keep and last will make a class use the priority of the class just above / before it. So to make two consecutive classes have the same prio, just add prio keep to the second one.

linklayer linklayer-name, ethernet, atm
    The linklayer can only be given on interfaces. It is used by the kernel to calculate the overheads in the packets.

adsl
    adsl is a special linklayer that automatically calculates ATM overheads for the link.
    local is used when the ADSL modem is directly attached to your computer (for example a PCI card, or a USB modem).

    remote is used when you have an ADSL router attached to an ethernet port of your computer.

    When one is using PPPoE pass-through, so there is an ethernet ADSL modem (not router) and PPP is running on the Linux host, the option to choose is local.

    Note
    This special case has not yet been demonstrated for sure. Experiment a bit and if you find out, let us know to update this page.

    In practice, this parameter lets the kernel know that the packets it sees already have an ethernet header on them.

    encapsulation can be one of (all the labels on the same line are aliases):

    • IPoA-VC/Mux or ipoa-vcmux or ipoa-vc or ipoa-mux
    • IPoA-LLC/SNAP or ipoa-llcsnap or ipoa-llc or ipoa-snap
    • Bridged-VC/Mux or bridged-vcmux or bridged-vc or bridged-mux
    • Bridged-LLC/SNAP or bridged-llcsnap or bridged-llc or bridged-snap
    • PPPoA-VC/Mux or pppoa-vcmux or pppoa-vc or pppoa-mux
    • PPPoA-LLC/SNAP or pppoa-llcsnap or pppoa-llc or pppoa-snap
    • PPPoE-VC/Mux or pppoe-vcmux or pppoe-vc or pppoe-mux
    • PPPoE-LLC/SNAP or pppoe-llcsnap or pppoe-llc or pppoe-snap

    If your adsl router can give you the mtu, it would be nice to add an mtu parameter too. For detailed info, see here.

mtu
    Defines the MTU of the interface in bytes. FireQOS will query the interface to find its MTU. You can overwrite this behaviour by giving this parameter to a class or interface.

mpu
    Defines the MPU of the interface in bytes. FireQOS does not set a default value. You can set your own using this parameter.

tsize
    FireQOS does not set a default size. You can set your own using this parameter.

overhead
    FireQOS automatically calculates the bytes overhead for ADSL. For all other technologies, you can specify the overhead in the config file.

r2q
    FireQOS calculates the proper r2q factor, so that you can control speeds in steps of 1/100th of the interface speed (if that is possible).
    Note
    The HTB manual states that this parameter is ignored when a quantum has been set. By default, FireQOS sets quantum to the interface MTU, so r2q is probably ignored by the kernel.

burst
    burst specifies the number of bytes that will be sent at once, at ceiling speed, when a class is allowed to send traffic. It is like a 'traffic unit'. A class is allowed to send at least burst bytes before trying to serve any other class.

    burst should never be lower than the interface mtu, and class groups and interfaces should never have a smaller burst value than their children. If you do specify a higher burst for a child class, its parent may get stuck sometimes (the child will drain the parent).

    By default, FireQOS lets the kernel decide this parameter, which calculates the lowest possible value (the minimum value depends on the rate of the interface and the clock speed of the CPU).

    burst is inherited from interfaces to classes and from group classes to their subclasses.

    FireQOS will not allow you to set a burst at a subclass higher than its parent. Setting a burst of a subclass higher than its parent will drain the parent class, which may be stuck for up to a minute when this happens. For this check to work, FireQOS uses just its configuration (it does not query the kernel to check how the value specified in the config file for a subclass relates to the actual value of its parent).

cburst
    cburst is like burst, but at hardware speed (not just ceiling speed).

    By default, FireQOS lets the kernel decide this parameter.

    cburst is inherited from interfaces to classes and from group classes to their subclasses.

    FireQOS will not allow you to set a cburst at a subclass higher than its parent. Setting a cburst of a subclass higher than its parent will drain the parent class, which may be stuck for up to a minute when this happens. For this check to work, FireQOS uses just its configuration (it does not query the kernel to check how the value specified in the config file for a subclass relates to the actual value of its parent).

quantum
    quantum specifies the number of bytes a class is allowed to send at once, when it is borrowing spare bandwidth from other classes.

    By default, FireQOS sets quantum to the interface mtu.

    quantum is inherited from interfaces to classes and from group classes to their subclasses.

priority, balanced
    These parameters set the priority mode of the child classes.

    priority
        priority is the default mode, where FireQOS assigns an incremental priority to each class. In this mode, the first class takes prio 0, the second prio 1, etc. When a class has a higher prio than the others (higher = smaller number), this high priority class will get all the spare bandwidth available, when it needs it. Spare bandwidth will be allocated to lower priority classes only when the higher priority ones do not need it.

    balanced
        balanced mode gives prio 4 to all child classes. When multiple classes have the same prio, the spare bandwidth available is spread among them, proportionally to their committed rate. The value 4 can be overwritten by setting FIREQOS_BALANCED_PRIO at the top of the config file to the prio you want the balanced mode to assign for all classes.

    The priority mode can be set in interfaces and class groups. The effect is the same. The classes that are defined as child classes will get by default the calculated class prio based on the priority mode given.

    These options affect only the default prio that will be assigned by FireQOS. The default is used only if you don't explicitly use a prio parameter on a class.

    Note
    There is also a match parameter called priority, see fireqos-params-match(5).
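The prio, burst and cburst rules above interact in ways that are easy to get wrong by hand: the default prio depends on class position, mode and the keep/last keywords, and a subclass burst that exceeds its parent's is rejected from the configuration alone. The following Python model is an added illustration, not FireQOS code: it computes the default class prio for one interface or class group under the rules stated above (priority mode, balanced mode, keep/last, clamping to 0..7) and performs the configuration-only burst/cburst inheritance check described for burst and cburst. The representation of classes as tuples and the assumption that the position counter still advances past a class using keep are this example's own.

```python
def assign_class_prios(classes, mode="priority", balanced_prio=4):
    """Return {class_name: prio} for one interface or class group.

    classes: list of (name, explicit) where explicit is None (let FireQOS
    decide), an int (explicit prio), or "keep"/"last" (same as the class
    before it). FireQOS restarts the numbering for each interface and
    class group, so call this once per group.
    """
    result = {}
    previous = None
    for position, (name, explicit) in enumerate(classes):
        if explicit in ("keep", "last"):
            if previous is None:
                raise ValueError(f"{name}: no earlier class whose prio to keep")
            prio = previous
        elif explicit is None:
            # priority mode: 0, 1, 2, ... capped at 7 (HTB has 8 priorities);
            # balanced mode: every class gets the balanced prio (4 by default).
            # Assumption of this example: the position counter advances even
            # for classes that used "keep".
            prio = balanced_prio if mode == "balanced" else min(position, 7)
        else:
            prio = max(0, min(7, int(explicit)))  # <0 becomes 0, >7 becomes 7
        result[name] = prio
        previous = prio
    return result


def check_burst_limits(tree, key="burst", inherited=None):
    """Configuration-only check that no subclass sets a larger burst/cburst
    than its parent, which FireQOS refuses because it would drain the parent.

    tree: list of (name, params, children); params is a dict such as
    {"burst": 3000}. A class without the key inherits its parent's value,
    as FireQOS does for burst, cburst, quantum, ceil and qdisc.
    Returns a list of problem descriptions (empty when the config is fine).
    """
    problems = []
    for name, params, children in tree:
        own = params.get(key, inherited)
        if inherited is not None and own is not None and own > inherited:
            problems.append(f"{name}: {key} {own} exceeds parent's {inherited}")
        problems.extend(check_burst_limits(children, key, own))
    return problems


if __name__ == "__main__":
    # Constructed classes mirroring the fireqos.conf(5) example's adsl-in interface.
    adsl_in = [("voip", None), ("realtime", None), ("clients", None),
               ("default", None), ("torrents", "keep")]
    print(assign_class_prios(adsl_in))
    print(assign_class_prios(adsl_in, mode="balanced"))
    # Constructed tree: the interface sets burst 3000; 'bulk' tries 6000.
    cfg = [("lan", {"burst": 3000}, [("voip", {}, []), ("bulk", {"burst": 6000}, [])])]
    print(check_burst_limits(cfg) or "burst configuration ok")
```

Setting an interface-level burst and then checking the tree is the same information FireQOS has at load time; it explains why a config passes the check even when the kernel's actual parent burst differs.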
SEE ALSO

• fireqos(1) - FireQOS program
• fireqos.conf(5) - FireQOS configuration file
• fireqos-interface(5) - QOS interface definition
• fireqos-class(5) - QOS class definition
• FireHOL Website
• FireHOL Online PDF Manual
• FireHOL Online HTML Manual

1.3.3 fireqos-params-match(5)

NAME

fireqos-params-match - optional match parameters

SYNOPSIS

    at { root | name }
    class name
    syn|syns
    ack|acks
    { proto|protocol protocol [,protocol...] } |tcp|udp|icmp|gre|ipv6
    { tos | priority } tosid [,tosid...]
    mark mark [,mark...]
    { port | ports } port[:range] [ ,port[:range]...]
    { sport | sports } port[:range] [ ,port[:range]...]
    { dport | dports } port[:range] [ ,port[:range]...]
    { ip | net | host } net [,net...]
    src net [,net...]
    dst net [,net...]
    prio id

DESCRIPTION

These options apply to match statements.

at
    By default a match is attached to the parent of its class. For example, if its parent is a class directly under the interface, then the match is attached to the interface and is compared against all traffic of the interface. For nested classes, a match of a leaf is attached to the parent class and is compared against all traffic of this parent class.

    With the at parameter, a match can be attached to any class. The name parameter should be a class name. The name root attaches the match to the interface.

class
    Defines the name of the class that will get the packets matched by this match. By default it is the name of the class the match statement appears under.

    Note
    There is also a class definition for traffic, see fireqos-class(5).

syn, syns
    Match TCP SYN packets. Note that the tcp parameter must be specified. If the same match statement includes more protocols than TCP, then this match will work for the TCP packets (it will be silently ignored for all other protocols). For example, syn is ignored when generating the UDP filter in the second line below:

        match tcp syn
        match proto tcp,udp syn

ack, acks
    Same as syn, but matching TCP ACK packets.
proto, protocol, tcp, udp, icmp, gre, ipv6
    Match the protocol in the IP header.

tos, priority
    Match the TOS field of IPv4 or the priority field of IPv6. The tosid can be a value/mask in any format tc(8) accepts, or one of the following:

    • min-delay, minimize-delay, minimum-delay, low-delay, interactive
    • maximize-throughput, maximum-throughput, max-throughput, high-throughput, bulk
    • maximize-reliability, maximum-reliability, max-reliability, reliable
    • min-cost, minimize-cost, minimum-cost, low-cost, cheap, normal-service, normal

    Note
    There is also a class parameter called priority, see fireqos-params-class(5).

mark
    Match an iptables(8) MARK.

    Matching iptables(8) MARKs does not work on input interfaces. You can use them only on output. The IFB devices that are used for shaping inbound traffic do not have any iptables hooks to allow matching MARKs. If you try it, FireQOS will attempt to do it, but currently you will get an error from the tc(8) command executed.

ports, sports, dports
    Match ports of the IP header. ports will create rules for matching source and destination ports (separate rules for each). dports matches destination ports, sports matches source ports.

ip, net, host, src, dst
    Match IPs of the IP header. ip, net and host will create rules for matching source and destination IPs (separate rules for each). src matches source IPs and dst destination IPs.

    Note
    If the class these matches appear in is IPv4, then only IPv4 IPs can be used. To override, use match6 ... src/dst *IPV6_IP*. Similarly, if the class is IPv6, then only IPv6 IPs can be used. To override, use match4 ... src/dst *IPV4_IP*.

    You can mix IPv4 and IPv6 in any way you like. FireQOS supports inheritance, to figure out for each statement which is the default.
    For example:

        interface46 eth0 lan output rate 1Gbit   # ipv4 and ipv6 enabled
            class voip                           # ipv4 and ipv6 class, as interface is both
                match udp port 53                # ipv4 and ipv6 rule, as class is both
                match4 src 192.0.2.1             # ipv4 only rule
                match6 src 2001:db8::1           # ipv6 only rule

            class4 realtime                      # ipv4 only class
                match src 198.51.100.1           # ipv4 only rule, as class is ipv4-only

            class6 servers                       # ipv6 only class
                match src 2001:db8::2            # ipv6 only rule, as class is ipv6-only

    To convert an IPv4 interface to IPv6, just replace interface with interface6. All the rules in that interface will automatically inherit the new protocol. Of course, if you use IP addresses for matching packets, make sure they are IPv6 IPs too.

prio (match)
    Note
    There is also a class parameter called prio, see fireqos-params-class(5).

    All match statements are attached to the interface. They forward traffic to their class, but they are actually executed for all packets that are leaving the interface (note: input matches are actually output matches on an IFB device).

    By default, the priority in which they are executed is the order they appear in the configuration file, i.e. the first match of the first class is executed first, then the rest of the matches of the first class in the sequence they appear, then the matches of the second class, etc.

    It is sometimes necessary to control the order of matches. For example, when you want host 192.0.2.1 to be assigned the first class, except port tcp/1234 which should be assigned the second class. The following will not work:

        interface eth0 lan output rate 1Gbit
            class high
                match host 192.0.2.1

            class low
                match host 192.0.2.1 port 1234 # Will never match

    In this case, the first match is assigned priority 10 and the second priority 20. The second match will never match anything, since all traffic for the host is already matched by the first one.

    Setting an explicit priority allows you to change the order in which the matches are executed.

    FireQOS gives priority 10 to the first match of every interface, 20 to the second match, 30 to the third match, etc. So the default is 10 x the sequence number. You can set prio to overwrite this number. To force executing the second match before the first, just set a lower priority for it. For example, this will cause the desired behaviour:

        interface eth0 lan output rate 1Gbit
            class high
                match host 192.0.2.1

            class low
                match host 192.0.2.1 port 1234 prio 1 # Matches before host-only

SEE ALSO

• fireqos(1) - FireQOS program
• fireqos.conf(5) - FireQOS configuration file
• fireqos-match(5) - QOS traffic match
• FireHOL Website
• FireHOL Online PDF Manual
• FireHOL Online HTML Manual
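The "Will never match" pitfall above is a first-match-wins ordering problem, and it is worth seeing the two configurations side by side on a concrete packet. The following Python model is an added example, not FireQOS or tc code: it assigns the default match prios (10, 20, 30, ...) in configuration order unless a prio is given explicitly, parses the port[:range] list syntax of the port parameters, and classifies a constructed packet by evaluating matches in prio order. The packet and match dictionaries are this example's own representation; real classification is done by tc(8) filters that FireQOS generates.

```python
import ipaddress


def parse_ports(spec):
    """Expand a FireQOS port list such as '22,1195:1198,1753' into a set of ints."""
    ports = set()
    for item in spec.split(","):
        lo, _, hi = item.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def default_match_prios(matches):
    """Copy the match list, giving the n-th match prio 10*n unless set explicitly."""
    numbered = []
    for seq, match in enumerate(matches, start=1):
        match = dict(match)
        match.setdefault("prio", 10 * seq)
        numbered.append(match)
    return numbered


def _applies(match, pkt):
    """Does one match select the packet? Each keyword narrows the match."""
    if "proto" in match and pkt["proto"] not in match["proto"]:
        return False
    if "host" in match:  # host matches either source or destination
        net = ipaddress.ip_network(match["host"], strict=False)
        if not (ipaddress.ip_address(pkt["src"]) in net or
                ipaddress.ip_address(pkt["dst"]) in net):
            return False
    if "port" in match:  # port matches either sport or dport
        ports = parse_ports(match["port"])
        if pkt.get("sport") not in ports and pkt.get("dport") not in ports:
            return False
    return True


def classify(matches, pkt, default_class="default"):
    """Return the class of the first applicable match in ascending prio order.

    sorted() is stable, so matches with equal prio keep configuration order,
    like the several tc filters one match statement can generate.
    """
    for match in sorted(default_match_prios(matches), key=lambda m: m["prio"]):
        if _applies(match, pkt):
            return match["class"]
    return default_class


# Constructed packet: TCP to host 192.0.2.1, port 1234.
PKT = {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.1",
       "sport": 40000, "dport": 1234}

# The configuration from the manual that "will never match" for class low.
BROKEN = [
    {"class": "high", "host": "192.0.2.1"},
    {"class": "low", "host": "192.0.2.1", "port": "1234"},
]

# The corrected configuration: prio 1 runs before the default prio 10.
FIXED = [
    {"class": "high", "host": "192.0.2.1"},
    {"class": "low", "host": "192.0.2.1", "port": "1234", "prio": 1},
]

if __name__ == "__main__":
    print("broken config classifies port 1234 into:", classify(BROKEN, PKT))
    print("fixed  config classifies port 1234 into:", classify(FIXED, PKT))
    other = dict(PKT, dport=443)
    print("fixed  config classifies port 443  into:", classify(FIXED, other))
```

Running it shows the broken configuration sending the port 1234 packet to high, the fixed one sending it to low while other traffic for the host still lands in high, which is the behaviour the manual asks for.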